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(54) Titie: METHOD AND DEVICE FOR CRYPTOGRAPHICALLY PROCESSING DATA 
(57) Abstract 

In the event of 
cryptographically processing 
data, said data (X) and a key 
(K) are fed to a cryptographic 
process (P), which may be a 
known process. In order to 
veil the nature of the process 
(P), there are fed auxiliary 
values to the process, such 
as a supplementary key (K*), 
using which a supplementary 
process (P*) generates the key 
proper (K). The combination 
of the original process (P) and 
the supplementary process (P*) 
provides an unknown process, 
the relationship between the 
supplementary key (K*) and the 

processed data (Y) being unknown. As a result, there is obtained an improved cryptographic security. 
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Method and device for cryptographically procestslng data. 

BACKGROUND OF THE INVENTION 

Tlie invention relates to a method for cryptographically 
5 processing data, comprising feeding, to a cryptographic process, 

values, ncimely, the data and a key, and carrying out the process 
in order to form cryptographically processed data. Such method 
is generally knovm. 

For cryptographically processing data, in practice there 
10 are often applied generally known processes. Examples of such 

cryptographic processes (algorithms) are DES and RSA (DES = Data 
Encryption Standard and RSA = Rivest, Shamir & Adleman] , which 
are described, e.g., in the book "Applied Cryptography" by B. 
Schneier (2nd edition). New York, 1996. 
15 Said processes are published since it was assumed that, in 

the event of sufficiently large key lengths, it would be 
impossible, on the basis of the processed data, to retrieve the 
original data cuid/or the key, even if the cryptographic process 
were known . 

20 Recently, however, there were discovered attacks which are 

based on knowledge of the cryptographic process. In other words, 
since the behaviour of the process is known, in the event of 
certain attacks it becomes considerably more simple to derive the 
key used and/ or the original data. It will be understood that 

25 such is undesirable. 



SUMMARY OF THE INVENTION 

The object of the invention is to solve the aibove problem 
by indicating a method and circuit, for carrying out a 

30 cryptographic process, which render the derivation of the key in 

the event of application of a known (i.e., piiblic) cryptographic 
process considerably more difficult or even impossible. For this 
purpose, a method of the type referred to in the preamble 
according to the invention is characterised by feeding, to the 

35 process, auxiliary values in order to mask the values used in the 

process . 

By masking the date and/or key(s) it becomes considerably 
more difficult to derive said values on the basis of the 
behaviour of the process. The result of the process, i.e., the 
40 collection of processed data, in the event of a suitable choice 

of the auxiliary values may be unchamged, i.e., identical to the 
result of the process, if no auxiliary values have been fed to 
it. In this connection, an '^auxiliary value" is understood to 
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mean a value (data or key) which is fed to the process as a 

supplement to the corresponding data and key. 

The invention is therefore based on the insight that the 

derivation of the values used in a cryptographic process is 

rendered considerably more difficult if said values are masked 

using auxiliary values. 

The invention is partly based on the further insight that 

the use of auxiliary values does not necessarily affect the 

outcome of the process. 

In a first embodiment of the invention, an auxiliary value 

comprises a supplementary key which is fed to a supplementary 

process in order to form the key. 

By applying a combination of a known process and a 

supplementary process, there is formed a new cryptographic 
process, unknown per se, even if the supplementary process is 

also known per se. 

By deriving the key used for the known process (primary 
key) from a supplementary key (secondary key) using a 
supplementary process, there is achieved that not the (primary) 
key of the known process but the supplementary (secondary) key is 
offered to the combination of processes. In other words, 
externally the supplementary (secondary) key, and not the real 

(primary) key of the process proper, is used. Derivation of the 
key from the original data and the processed data has thereby 
become iiiipossible. In addition, the derivation of the 
supplementary key has been rendered seriously more difficult, 
since the combination of the original process and the 
supplementary process is not known. 

Said embodiment of the invention is therefore based, inter 
alia, on the insight that the being known of a cryptographic 
process is undesirable, such contrary to what was so far assumed. 
Said embodiment is also based on the further Insight that attacks 
which elaborate on knowledge of the process become considerably 
more difficult if the process is unknown. 

The supplementary process preferably comprises a 
cryptographic process. This renders the derivation of the 
supplementary key more difficult. Basically, however, a simple 
encoding may be applied, e.g., as a supplementa.ry process. In 
the event of a cryptographic process, there is preferably applied 
an atixiliary key. 

The supplementary process advantageously is cin invert ible 
process. This enables the application of the method according to 
the invention in existing equipment with minimum modifications. 
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If, e.g., a first device gives off a (supplementary) key which is 
applied in a second device according to the invention, then in 
the first device there may be used the inverse of the 
supplementary process to derive the supplementary key from the 
original key. In other words, although in both the first and the 
second device internally the original (primary) key is used, 
there is exchanged, between the devices, the supplementary 
(secondary) key. Intercepting the supplementary key, however, 
does not result in knowledge of the original key. 

It may be advantageous if carrying out the supplementary 
process takes place exclusively if the data has predetermined 
properties. In this manner, cryptographic processing may be 
carried out for specific, selected data only, while such is 
blocked for all other data. In this manner, there is achieved a 
supplementary protection. 

An optimum security is provided if the process and the 
supplementary process are each constructed of several steps and 
in which there are alternately carried out steps of the process 
and the supplementary process. As a result, the properties of 
the known process are further veiled, as a result of which the 
derivation of the keys is further complicated. 

In a second embodiment of the invention, the process 
con^rises several steps, each of which has a cryptographic 
operation for processing right-hand data derived from the data 
and a combinatory operation for containing, with the left-hand 
data derived from the data, the processed right-hand data in 
order to foinn modified left-hamd data, in which the right-hand 
data, prior to the first step, is combined with a primary 
auxiliary value and the left-hand data is combined with an 
additional auxiliary value. As a result, the data used in the 
steps and tramsf erred between the steps is masked. 

In order to mcike it possible for the primary and additional 
auxiliary values do not make themselves felt in the end result of 
the process, the right-hand data is combined, preferably 
immediately after the last step, with a further primary auxiliary 
value, and the modified left-hand data is combined with a further 
additional auxiliary value. 

In order not to have the result of the operations affected 
by the primary auxiliary values, the method according to the 
invention is preferably carried out in such a manner that the 
right-hand data, in each step and prior to the operation, is 
combined with the primary auxiliary value of said step. 
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A further protection is achieved if the processed right- 
hand data, following the processing, is combined with a secondary 
atixiliary value of said step, 

5 The secondary auxiliary value of a step is advantageously 

formed from the combination of the primary auxiliary value of the 
preceding step and the primary auxiliary value of the next step. 
As a result, it becomes possible to compensate the auxiliary 
value in the repeatedly next step, as a result of which said 
10 auxiliary value will not make itself felt in the end result of 

the process. 

It is possible to carry out the method according to the 
invention in such a maimer, that all primary auxiliary values are 
etjual. As a result, a very simple practical realisation ±s 

15 possible. The use of several auxiliary values, which are 

preferably random numbers and are generated anew for each time 
the process is caurried out, however, offers a greater 
cryptographic security, 

A further simplification of said embodiment may be obtained 

20 if the primary auxiliary values and/ or secondary auxiliary values 

repeatedly have been combined in advance with the operation in 
question. This is to say, combining with auxilxary values is 
processed in the operation in question (e.g., a substitution), in 
such a manner that the result of the operation in question is 

25 equal to that of the original operation plus one or two 

combinatory operations with auxiliary values . By in advance 
including in the operation the combinatory operations, a more 
simple and faster practical realisation is possible. 

Said combinatory operations are preferably carried out 

30 using an XOR operation [XOR = exclusive OR] . Other combinatory 

operations, however, such as binary adding, are basically 
possible as well. 

The invention further provides a circuit for carrying out a 
method for cryptographically processing data. In addition, the 

35 invention supplies a payment card and a payment terminal provided 

with such circuit - 

Below, the invention will be further explained on the basis 
of the exemplary embodiments shown in the figures. 



40 



BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 schematically shows a cryptographic process 
according to the prior art. 



o o 
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FIG, 2 schematically shows a first cryptographic process 
according to a first embodiment of the invention. 

FIG- 3 schematically shows a second cryptographic process 
according to a first embodiment of the invention. 
5 FIG. 4 schematically shows a way in which the processes of 

figures FIG. 1 and 2 may be carried out. 

FIG. 5 schematically shows a cryptographic process having 
several steps according to the prior art, 

FIG. 6 schematically shows a first cryptographic process 
10 according to a second embodiment of the invention. 

FIG. 7 schematically shows a second cryptographic process 
according to a second embodiment of the invention. 

FIG. 8 schematically shows a third cryptographic process 
according to a second embodiment of the invention. 
15 FIG- 9 schematically shows a circuit in which the invention 

is applied. 

FIG. 10 schematically shows a payment system in which the 
invention is applied. 

20 PREFERRED EMBQDIMEMTS 

A (cryptographic) process P according to the prior art is 
schematically shown in FIG. 1. To the process P, there are fed 
input data X and a key K. On the basis of the key K, the process 
P converts the input data X into (cryptographically) processed 

25 output data Y: Y = Pr (X) - The process P may be a known 

cryptographic process, such as DES (Data Encryption Standard) , 
triple DES, or RSA (Rivest, Shamir & Adleman) . 

If the input data X and the output data Y are known, it is 
basically possible to derive the key K used. In the event of a 

30 key of sufficient length (i.e., a sufficient nxuhber of bits), it 

was so far deemed impossible to derive said key, even if the 
process P were known. Impossible iii this case is to say that in 
theory it is admittedly possible, e.g., by trying out all 
possible keys, to retrieve the key used, but that such requires 

35 an impossibly long computational time. Such ^brute-force attack" 

is therefore hardly a threat to the cryptographic sec\irity. 

Attacks recently discovered, however, make use of knowledge 
of the process, as a result of which the number of possible keys 
may be reduced drastically. Deriving the key K used and/or the 

40 input data X from the output data Y therefore becomes possible 

within acceptable coinputational times. 

The principle of the invention, whose object it is to 
render such attacks considerably more difficult and time- 
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consuming, is schematically shown in FIG. 2. Just as in FIG. 1, 
to a (known) process P there are fed input data X emd a (secret) 
key K to generate output data Y. 

Contrary to the situation of FIG. 1, in the situation of 
5 FIG. 2 the key K is fed to the process P from a supplementary 

process P* . The supplementary process P* has a supplement aary 
(secondary) key K* as input data to produce, under the influence 
of an auxiliary key K' , the (primary) key K as output da.ta. The 
key K is therefore not fed, as is the case in the situation of 
10 FIG. 1, from an external source (e.g., a memory) to the process 

P, but is produced by the process P* from the supplementary 
(secondary) key K* : 

K = P*K' (K) . 

15 

It is therefore the secondary key K*, instead of the 
primary key K, which is predetennined and stored, e.g. , in a key 
memory (not shown) , According to the invention, the primary key 
K, which is fed to the process P, is not predetermined. 

20 The auxiliary key K' may be a permanently stored, 

predetermined key. It is also possible to apply a supplementary 
process P* in which no auxiliary key K' is used. 

The combination of the processes P and P* forms a new 
process which is schematically designated by Q. To the process Q 

25 which, on account of the supplementary process P*, is unknown per 

se, the input data X and the (secondary) key K* are fed to 
produce the output data Y. The relationship between the 
secondary key K* and the primary key K is veiled by the 
supplementary process P* . 

30 The supplementary process P* preferably is the inverse of 

another, invertible process R. This is to say: 

P* = R'^. 

35 This enables producing the secondary key K* from the 

primary key K using R and the auxiliary key K' : 

K* ^ Rr. (K) , 



40 



as will be further explained later by reference to FIG. 5. The 
new process Q may possibly be extended by the process R, in such 
a manner that the primary key K, instead of the secondary key K*, 
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is fed to the process Q. The primary key K in this case in the 
process Q is derived from: 

K = P*K. (K*) = P*K. {Rk'(K)) . 

5 

This enables using the same (primary) key as in the prior 

art . 

The cryptographic process Q according to the invention, 
schematically shown in FIG, 3, also comprises a process P having 

10 a primary key K and a supplementary process P* having an 

avDciliary key K' , the primary key K being derived from the 
supplementary key K* by the supplementary process P* . 
Supplementing the process of FIG. 1, in this case the input data 
X is also fed to the supplementary process P*, in such a manner 

15 that the primary key K is determined partly as a fiinction of the 

input data X: 

K = P*K' (K*,X) . 

20 As a result, there is obtained a supplementary 

cryptographic protection. In addition, as a result the 
possibility is offered to carry out the supplementary process P* 
exclusively if certain input data is offered. This is to say 
that the supplementary process P* may comprise a test of the 

25 input data X, and carrying out the supplementary process P* may 

depend on the result of said test. Thus, the supplementary 
process P* , e.g., may be carried out only if the last two bits of 
the input data X equal zero. The effect of such an input data- 
dependent operation is that only for certain input data X the 

30 correct primary key K will be produced in such a manner that only 

said input data will deliver the desired output data Y. It will 
be understood that as a result the cryptographic security is 
further enhanced. 

FIG. 4 schematically shows the way in which substeps of the 

35 processes P and P* may be carried out altematingly 

(** interleaving" ) in order to further enhance the protection 
against attacks. The substeps may include so-called * rounds " , 
such as, e.g., in the case of DBS, The siabsteps, however, 
preferably comprise only one or a few instructions of a program, 

40 with which the processes are being carried out. 

In a first step 101, there is carried out a first substep Pi 
of the process P. Subsequently, in a second step 102, the first 
substep Pi* of the supplementary process P* is carried out. 
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Likewise, in a third step 103, the second substep P2 of the 
process P is carried out etc. This continues until, in step 110, 
the last sijbstep Pn* of the supplementary process P* has been 
carried out, it being assumed, for the sake of the example, that 
5 the processes P and P* comprise an equal number of substeps. If 

such is not the case, in step 110 there is carried out the last 
corresponding substep, and in further steps the remaining 
substeps are carried out . 

By alternating the substeps of the process P, which is 

10 known per se, and the process P* (possibly known per se as well) , 

there may be obtained a series of substeps which does not 
correspond to that of a known process. As a result, ttie nature 
of the process is more difficult to recognise. 

The cryptographic process P schematically shown, only by 

15 way of example, in FIG. 5, according to the prior art oomprises 

several steps Si (i.e., S^, 83, S^) . In each step Si, (right- 

hand) data RDi is fed to a cryptographic operation Fi- Said 
cryptographic operation may itself comprise a nxmiber of substeps, 
such as an expansion, a combination with a key, a substitution 

20 and a permutation which, however, have not been designated 

separately for the sake of the simplicity of the drawing. The 
cryptographic operation Pi provides processed data FDi: 

FDi = Fi (RDi) . 

25 

In a combinatory operation CCi (CCi, CC2, the inde^c i always 

indicating the step S in question) , the processed data FDi is 
combined with left-hand data UDi to form modified (left-hand) 
data SDi which, just as the original right-hand data RD, is 

30 passed on to the next step. The combinatory operations CCi 

preferably are XOR operations (symbol: 0) . 

As is shown in FIG. 5, at the end of each step Si the 
modified left-hand data SDi and the right-hand data RDi change 
positions in such a manner that they form the right-hand data 

35 RDi+i and the left-hand data LDi+i of the next step Si*i, 

The left-hand data LDi and the right-hand data RDi of the 
first step Si were derived, in a preceding operation, from input 
data X and, in doing so, may undergo a preparatory processing, 
such as an input permutation. The output data SDn and RDn of the 

40 last step form the processed data Y of the proces P, possibly- 

after it has undergone a final operation, such as an output 
permutation PP'^. 
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The cryptographic process of FIG. 6 largely corresponds to 
that of FIG- 5. In accordance with the invention, the data 
present in and between the steps is masked with auxiliary values. 
For this purpose, in this embodiment the first step Si is 
5 preceded by (preparatory) combinatory operations DC and EC, which 

are preferably XOR operations as well. They combine the left- 
hand data LDi and the right-hand data RDi, respectively, which 
originate from the preparatory operation (PP) , with a zeroth 
auxiliary value Ao and a first auxiliary value Ai. The results of 

10 the combinatory operations DC and EC are left-hand masked data 

IiD'i and right-hand masked data RDi ' , respectively (in the 
continuation of this text, masked data will be designated by an 
apostrophy) . The maskings make themselves felt in the siibseguent 
steps. Since the left-hand data of the second step Sa is equal 

15 to the masked right-hand data of the first step Si, said left- 

hand data IiD'2 is masked as well- The right-hand data RDj' of the 
second step is masked since it is equal to the masked, modified 
data SDi ' . 

Combining the data LDi and RDi with the auaciliary values Ai 
20 therefore results in the modified data LDi' and RDi' being masked, 

as a result of which it is considerably more difficult to derive 
the original data X or the key used from the maslced data LDi' and 
RDi' . 

In order to remove the auxiliary values Ai prior to the 

25 final operation (PP'^) , there are provided completing combinatory 

operations FC and GC, which combine the modified and masked left- 
hand data SD'n of the last step Sn with an auxiliary value A^^.! and 
the masked right-hand data RDn' with an auxiliary value A„, 
respectively. On account of Ai © Ai being zero in this manner the 

30 maskings are removed by the auxiliary values Ai, As a result, it 

is possible to carry out the method in such a maimer that, 
notwithstamding the use of the axxxiliary values Ai, the final 
data Y is equal to that which would have been obtained by the 
conventional method according to FIG. 5. 

35 In order to exclude the effect of the auxiliary values Ai on 

the results FDi of the operations Fi, in each step Si there is 
preferably present a supplementary combinatory operation ACi 
which combines the right-hand data RDi with a (primary) auxiliary 
value Ai before this data is fed to the cryptographic operation 

40 Fi. The result of each supplementary combinatory operation ACi is 

non-masked right-hand data RDi, so that the cryptographic 
operation Fi works on the same data as in the process of FIG. 5. 
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There may be advantageously inserted a further combinatory 
operation BCi between the cryptographic operation Fi and the 
combinatory operation CCi with the purpose of conibining the 
processed (right-hand) data FDi with a further (secondary) 
5 auxiliary value Bi. As a result, there may be achieved a masking 

of the processed data FDi and a further masking of the (modified) 
left-hand data SDi' . The combinatory operations ACi and BCi 
preferably are XOR operations as well. 

In accordance with a further aspect of the invention, the 
10 auxiliary values Ai and Hi are related. The secondary auxiliary 

values Bi are formed, preferably using an XOR operation, from the 
first auxiliary value Ai^i of the previous step and the auxiliary 
value. Ai+i of the next step: 

15 Hi = Ai-i © Ai^.1- 

This results in each primary auxiliary value Ai+i which, using a 
further supplementary combinatory operation BCi, is combined with 
the processed right-hand data FDi as an ingredient of the 

20 secondary auxiliary value Bi, repeatedly being conqpensated in the 

next step, i.e., step Si^i, by means of a combinatory operation ACi 
before the right-hand data RDi+i is subjected to the operation Fi. 
The (masked) right-hand data RDi' in question, which forms the 
(masked) left-hand data IJ>i+i' of the still next step Si+a are 

25 combined there with the primary auxiliary value Ai+i and is 

compensated in this manner. The auxiliary value Ai+i makes itself 
felt in the modified data SDi' , in such a manner that this 
remains masked between two steps. 

The left-hand data I*Di of the first step Si is masked with 

30 the additional or zerbth (primary) aiixiliary value A©. By 

combining, with the secondary auxiliary value Bi = A© © Aa, the 
initial auxiliary value Ao is removed {on account of Ao ^ Ao being 
zero) , but the auxiliary value A2 and the masking achieved 
therewith are maintained. The zeroth auxiliary value Ao in this 

35 embodiment is preferably chosen equal to the first auxiliary 

value Ai . 

Although all primary auxiliaary values Ai are preferably 
chosen different, with the exception of Ao = Ai, it is possible to 
choose all primary auxiliary values Ai equal. In this case, all 
40 secondary auxiliary values Bi in the embodiment shown will be 

equal to zero, so that the further combinatory operations BCi may 
be omitted. The invention further applies to processes P which 
contain only one step S, or have a deviating structure. 
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In the process of FIG. 7, which largely corresponds to that 
of FIG. S, the combinatory operations ACi and BCi cind the 
cryptographic operation Fi in each step are integrated to form a 
combined operation Fx' . Integrating the combinatoiry operations 
5 in the operations Fi is possible by suitably adjusting, e.g., a 

substitution table of the operation Fi . As a result, the 
supplementary combinatory operations ACi and BCi may be omitted 
and the result of the adjusted operation Fi' is equal to the 
result of the total of the operation Fi proper and the 
10 combinatory operations: 



FDi« = FiMRDi') = Bi © Fi (Ai ® RDi'). 
Basically, each step Si requires a different combinatory 
operation Fi in which various auxiliary values Ai are integrated 

15 (see FIG. 6) . Only if the axixiliary values Ai are chosen equal, 

i.e., Ai=A2 = ... = An, the combinatory operations Fi in this 
embodiment may be equal - 

Each time the process is carried out, the values Ai are 
preferably chosen anew. For the process of FIG. 7, this means 

20 that the combined operations Fi' are then determined anew. Since 

the operations Fi' in many implementations will comprise the use 
of several tables, such as substitution tables, said tables will 
be determined anew each time the process P is carried out. In 
order to offer a supplementary protection against attacks, 

25 according to a further aspect of the invention the tables will be 

determined in random order. If a combined operation Pi' 
comprises, e.g., eight tables, said eight tables will be 
determined in another order each time said operation Fi' is 
carried out anew. Said order may be determined on the basis of 

30 the contents of an order register, which contents may each time 

be formed by a random number originating from a random-number 
generator. On the basis of the contents of the order register 
there may each time be composed a fresh lookup table. Using the 
lookup table, the tables may be written to a memory and later be 

35 read out. 

According to a further aspect of the invention, 
supplementing this or instead thereof, the elements of each table 
may be determined and/ or stored in random order. With this 
measure it is achieved that the protection against attacks is 

40 also improved. In this case, too, there may be applied a lookup 

table on the basis of which the elements may later be retrieved. 

The measures referred to above may also be applied in 
another embodiment of the invention, such as the one of FIG. 8, 
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or in completely different other processes, whether cryptographic 
or not - 

The embodiment of FIG- 8 largely corresponds to that of 
FIG. 7. Supplementing FIG, 7, each step Si, with the exception 
of the last step Sn, includes a combinatory operation HCi which 
combines the right-hand data RDi with a tertiary aioxiliary value 
Wi, The tertiary auxiliary value Wi preferably equals the XOR 
combination of the auxiliary values Ao and Ai: 

W = Ao © Ai, 

where Ao 5t A^. 

This results in the operation HCi always adding the zeroth 
auxiliary value Ao and compensating the first auxiliary value Ax- 
As a result, it is possible that all cryptographic operations Fi 
are essentially identical, which requires a much smaller 
processing and/or storage capacity from a processor system with 
which the method is carried out. In the embodiment of FIG. 8, 
the operations Fi" are such adjustments of the original 
operations Fi, that these are corrected for the auxiliary value 
and in addition combine the tertiary auxiliary value W = A© 0 Ax 
with their result. In other words, if RD^ © Ai is fed to F" , the 
result will be equal to 
FDi'=Fi(RDi) © W. 

It will be imderstood by those skilled in the art that the 
combinatory processes ACi, BCi and HCi niay be carried out- in 
different locations in the cryptographic process P to achieve a 
comparable or even identical effect. 

FIG. 9 schematically shows a circuit 10 for implementing 
the method according to the invention. The circuit 10 comprises 
a first memory 11, a second memory 12 and a processor 13, the 
memories 11 and 12 and the processor 13 being coupled using a 
data bus 14. By providing two memories, it is possible each time 
to carry out a substep of one of the processes P and P* (see FIG. 
4), to store the result of said substep in, e.g., the first 
memory 11, and from the second memory 12 to transfer a previous 
interim result from the other process to the processor 13 . In 
this mcinner, it is possible to efficiently carry out the 
alternating confutation of substeps of two different processes. 

The payment system schematically shown in FIG. 10 con^rxses 
an electronic payment means 1 and a payment station 2 . The 
electronic payment means 1 is, e.g., a so-called smart card. 
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i.e., a card provided with an integrated circuit for storing and 
processing payment data. The payment station 2 comprises a card 
reader 21 and a processor circuit 22. The processor circuit 22 
may correspond to the circuit 10 of FIG. 9. 

At the beginning of a transaction, the payment means 1 
transmits an identification (card identification) ID to the 
payment station 2. By reference to said identification, the 
payment station 2 determines a key which will be used for said 
transaction. Said identification ID may be fed as input data X 
(see the figures 1-3) to a cryptographic process which, on the 
basis of a master key MK, produces an identification-dependent 
transaction key Ki© as output data Y. In accordance with the 
invention, for this purpose the process shown in the figures FIG. 
2 and 3 is \ised, the master key MK having been converted in 
advance, using a process R, into a supplementary master key MK* . 
Said supplementary master key MK* is now fed, preferably together 
with the identification ID, in accordance with FIG. 3, to the 
supplementary process P* in order to reproduce the original 
master key MK cind to derive the transaction key Kio from the 
identification ID. 

Although, in the figures FIG. 2 and 3, there is always 
shown one single supplementary process P*, there may possibly be 
used several processes P*, P**, P***. ... in series and/ or in 
parallel to derive the primary key K. 

It will be understood by those skilled in the art that many 
modifications and amendments are possible without departing from 
the scope of the invention. 
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CLAIMS 



1. Method for czryptographically processing data, comprising 
feeding, to a cryptographic process (P) , values, namely, the data 
5 (X) and a key (K) , and carrying out the process (P) in order to 

form cxyptographically processed data (Y) , characterised by 
feeding, to the process (P) , axixiliary values (K*; A, B) in order 
to mask the values (K; D) used in the process (P) . 

10 2 . Method according to claim 1 , wherein an axxxiliary value 

comprises a supplementairy key (K*) which is fed to a 
supplementary process (P*) in order to form the key (K) * 

3 . Method according to claim 2 , wherein the supplementary 
15 process (P*) comprises a cryptographic process to which an 

auxiliary key (K' ) is fed. 

4, Method according to claim 2 or 3 , wherein the supplementary 
process <P*) is an invertible process. 

20 

5- Method according to claim 2, 3 or 4, wherein the data (X) 
is also fed to the supplementary process (P*) . 

6. Method according to claim 5, wherein carrying out the 

25 supplementary process (P*) takes place exclusively if the data 

(X) has predetermined properties. 

7. Method according to any of the claims 2-6, wherein the 
process (P) and the supplementary process (P*) each are built up 

30 from a nximber of steps, and wherein steps of the process (P) and 

the supplementary process (P*) are alternated. 

8- Method according to any of the preceding claims, wherein 
the process (P) comprises a number of steps (Si) , each having a 

35 cryptographic operation (Fi, Fi', Fi") for processing right-hand 

data (RDi) derived from the data (X) and a corabinatoiY operation 
(Ci) for combining with left-hand data (liDi) also derived from the 
data (X) , the processed right-hand data (FDi) in order to form 
modified left data (SDi) , and wherein the right-hand data (RD^) is 

40 combined with a primary auxiliary value (Ai) prior to the first 

step (Si) and the left-hand data (LDi) is combined with an 
additional auxiliary value (Aq) . 
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9. Method according to claim 8 wherein, inunediately after the 
last step (S„) , the right-hand data (RD„) is combined with a 
further primary atixiliary value (An) and the modified left-hand 
data (SDn') is combined with a further additional axixiliary value 



10. Method according to claim 8 or 9, wherein the right-hand 
data (RDi) is combined, in each step (Si) and prior to the 
operation (Fi»), with the primary auxiliary value (Ai) of said 
step (Si) . 



11. Method according to claim 10, wherein the processed right- 
hand data (FDi) is combined, following the operation (Fi) , with 
the secondary auxiliary value (Bi) of said step (Si) . 

12. Method according to claims 10 and 11, wherein the secondary 
aiixiliary value (Bi) of a step (Si) is formed from the combination 
of the primary auxiliary value (Ai.i) of the preceding step and 
the primary auxiliary value (Ai+i) of the next step. 

13. Method according to any of the claims 8-12, wherein all 
primary auxiliary values (Ai) are equal . 

14. Method according to any of the claims 9-13, wherein the 
primary auxiliary values (Ai) and/or secondary auxiliary values 
(Bi) have each time been combined with the respective operation 
(Fi) in advance. 



15 - Method according to claim 14 , wherein a combined operation 
(Fi') contains several tables, and wherein the tables are 
determined in a different order each time the process (P) is 
carried out. 

16. Method according to claim 14 or 15, wherein a combined 
operation (Fi') contains several tables, and wherein the elements 
of the tables are determined and/or stored in a different order 
each time the process (P) is carried out. 

17. Method according to claim 16, wherein the order is stored 
as a looJcup table for the benefit of reading out the elements. 

18. Method according to any of the claims 8-17, wherein the 
right-hand data (RDi) is combined with a tertiary auxiliary value 
(Wi) after each step (Si) . 
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19. Method according to claim 18, wherein the tertiary 
auxiliary value (Wi) in all steps, except the last one (Sn) is 
equal to the combination of the primary auxiliary value (Ai) of 
the first step (SJ and the additional auxiliary value (Aq) , and 
in the last step (Sn) is equal to zero. 

20. Method according to any of the claims 8-19, wherein 
combining is carried out using an XOR operation. 

21. Method according to any of the preceding claims, wherein 
the data (X) comprises identification data of a payment means (1) 
and the processed data (Y) forms a diversified key. 

22. Method according to any of the preceding claims, wherein 
the process (P) con^rises DES, preferably triple DES - 

23. Circuit (10) for carrying out the method according to any 
of the preceding claims. 

24. Payment card (1), provided with a circuit (10) according to 
claim 23 . 



25. Payment terminal (2) provided with a circuit (10) according 
to claim 23 . 
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